How to Calculate Your SPRS Score (Step-by-Step)
The Supplier Performance Risk System (SPRS) score is a numerical representation of how well your organization implements the 110 security controls in NIST SP 800-171. It's the metric the Department of Defense uses to evaluate your cybersecurity posture — and it's a critical input for CMMC Level 2 compliance.
Your score ranges from **+110** (every control fully implemented) down to **-203** (nothing implemented). Yes, it can go negative.
Each of the 110 NIST 800-171 controls has a point value of **1, 3, or 5 points**, assigned by DoD based on the control's security impact. The total possible points add up to 110.
Here's how scoring is calculated:
- **Start at 110** (assumes all controls are implemented)
- **Subtract points** for each control that is NOT fully implemented
- **The result is your SPRS score**
If a control is on your POA&M (planned but not yet implemented), it still counts as a deduction.
| Family | Controls | Max Points | High-Value Controls (5 pts) |
|---|---|---|---|
| Access Control (AC) | 22 | 34 | AC.3.1.1, AC.3.1.2, AC.3.1.3 |
| Awareness & Training (AT) | 3 | 3 | — |
| Audit & Accountability (AU) | 9 | 13 | AU.3.3.1, AU.3.3.2 |
| Configuration Management (CM) | 9 | 11 | CM.3.4.1 |
| Identification & Auth (IA) | 11 | 19 | IA.3.5.1, IA.3.5.2, IA.3.5.3 |
| Incident Response (IR) | 3 | 3 | — |
| Maintenance (MA) | 6 | 6 | — |
| Media Protection (MP) | 9 | 9 | — |
| Personnel Security (PS) | 2 | 2 | — |
| Physical Protection (PE) | 6 | 6 | — |
| Risk Assessment (RA) | 3 | 5 | RA.3.11.1 |
| Security Assessment (CA) | 4 | 4 | — |
| System & Comm Protection (SC) | 16 | 22 | SC.3.13.1, SC.3.13.8, SC.3.13.11 |
| System & Info Integrity (SI) | 7 | 9 | SI.3.14.1 |
| **Total** | **110** | **110** | |
Go through all 110 controls and determine whether each one is:
- **Implemented** — The control is fully in place and operating as intended
- **Not Implemented** — The control is missing, partial, or planned (on POA&M)
There's no partial credit. A control is either fully implemented or it's not.
List every control that is NOT fully implemented. Look up each control's point value using the DoD Assessment Methodology (available in NIST SP 800-171A or the DoD SPRS scoring guide).
Add up the point values of all unimplemented controls.
**SPRS Score = 110 - (sum of unimplemented control point values)**
Suppose your organization has not implemented:
- AC.3.1.1 (5 points)
- AU.3.3.1 (5 points)
- CM.3.4.5 (1 point)
- SC.3.13.8 (5 points)
- SI.3.14.7 (1 point)
Deductions: 5 + 5 + 1 + 5 + 1 = **17 points**
**SPRS Score = 110 - 17 = 93**
| Score Range | What It Means |
|---|---|
| **110** | Perfect — all controls implemented |
| **90-109** | Strong posture with minor gaps |
| **70-89** | Moderate gaps — common for organizations in progress |
| **50-69** | Significant gaps — substantial work needed |
| **Below 50** | Critical gaps — major security concerns |
| **Negative** | Minimal controls in place — high risk |
There's no official "passing" SPRS score for all contracts. However:
- Most prime contractors expect subcontractors to have a score of **70+**
- A score below 70 may require explanation and a robust POA&M
- Your contracting officer may specify a minimum in the solicitation
The highest-impact improvements come from implementing 5-point controls. There are approximately 15 controls worth 5 points each — implementing just these could swing your score by 75 points.
- **AC.3.1.1** — Limit system access to authorized users (5 pts)
- **IA.3.5.1** — Identify system users and processes (5 pts)
- **IA.3.5.2** — Authenticate users and processes (5 pts)
- **SC.3.13.1** — Monitor communications at boundary (5 pts)
- **SC.3.13.11** — Employ FIPS-validated cryptography (5 pts)
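As an added example (not the article's or any platform's code), the calculator below carries the worked example from earlier through the formula and then orders the remaining gaps by point value, which is the prioritization described above. Its point table is constructed from only the controls this page names; for a real assessment the full DoD Assessment Methodology values for all 110 controls are assumed to be loaded in its place.

```python
# Point values for the controls named in this article. This is a constructed,
# partial table: replace it with the full DoD Assessment Methodology values
# for all 110 controls before relying on a score.
POINT_VALUES = {
    "AC.3.1.1": 5, "AC.3.1.2": 5, "AC.3.1.3": 5,
    "AU.3.3.1": 5, "AU.3.3.2": 5,
    "CM.3.4.1": 5, "CM.3.4.5": 1,
    "IA.3.5.1": 5, "IA.3.5.2": 5, "IA.3.5.3": 5,
    "RA.3.11.1": 5,
    "SC.3.13.1": 5, "SC.3.13.8": 5, "SC.3.13.11": 5,
    "SI.3.14.1": 5, "SI.3.14.7": 1,
}

MAX_SCORE = 110  # every control fully implemented


def sprs_score(unimplemented, point_values=POINT_VALUES):
    """Start at 110 and subtract the value of every control that is not
    fully implemented (partial and POA&M items count as unimplemented).
    Unknown IDs and values outside {1, 3, 5} are rejected, not guessed."""
    total = 0
    for ctrl in set(unimplemented):  # each control is deducted once
        if ctrl not in point_values:
            raise KeyError(f"no point value recorded for {ctrl}")
        pts = point_values[ctrl]
        if pts not in (1, 3, 5):
            raise ValueError(f"{ctrl}: point value must be 1, 3 or 5, got {pts}")
        total += pts
    return MAX_SCORE - total


def deductions_by_family(unimplemented, point_values=POINT_VALUES):
    """Sum deductions per family (the prefix before the first dot, e.g. 'AC')."""
    out = {}
    for ctrl in set(unimplemented):
        family = ctrl.split(".", 1)[0]
        out[family] = out.get(family, 0) + point_values[ctrl]
    return out


def remediation_order(unimplemented, point_values=POINT_VALUES):
    """Gaps sorted highest point value first: closing a 5-point control
    lifts the score five times as much as closing a 1-point control."""
    return sorted(set(unimplemented), key=lambda c: (-point_values[c], c))


# Worked example from the article: five gaps totalling 17 points.
GAPS = ["AC.3.1.1", "AU.3.3.1", "CM.3.4.5", "SC.3.13.8", "SI.3.14.7"]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(GAPS))          # 93
    print("By family:", deductions_by_family(GAPS))
    print("Close first:", remediation_order(GAPS))
```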
Implementation without evidence doesn't count. For each control:
- Write a specific implementation statement
- Capture evidence (screenshots, configs, policy documents)
- Assign a responsible party
Controls on your POA&M still count as deductions, but a solid POA&M shows assessors you're aware of gaps and actively remediating them. Include realistic milestones and resource commitments.
Our compliance dashboard calculates your SPRS score automatically as you work through the platform:
- **110-control tracker** — Mark each control's implementation status
- **Real-time SPRS gauge** — Watch your score update as you implement controls
- **Score history** — Track improvement over time
- **Per-family breakdown** — See which control families need the most attention
- **Guided questionnaires** — 566 questions help you assess and document each control
The platform identifies your highest-impact opportunities — so you know exactly where to focus to maximize your score improvement.
*Want to see your SPRS score in real time? Start tracking with our compliance platform or download a free sample.*